The term global security refers to the security settings that apply across the whole installation: authentication of the users who call the WebSphere administrative functions, the use of Secure Sockets Layer (SSL), and the choice of user account repository (user registry).

In some cases, the realm can be the machine name of a Local OS user registry. In this case, all application servers must reside on the same physical machine. In other cases, the realm can be the machine name of a Lightweight Directory Access Protocol (LDAP) user registry. Because LDAP is a distributed user registry, this allows for a multiple node configuration in a Network Deployment environment.

The basic requirement for a security domain is that the access ID returned by the registry from one server within the security domain is the same access ID that is returned from the registry on any other server within the same security domain. The access ID is the unique identification of a user and is used during authorization to determine if access is permitted to the resource.
You can override some portions of the configuration at the server level. Where multiple nodes and multiple servers within a node are possible, you can configure certain attributes at a server level. The attributes that are configurable at a server level include security enablement for the server, Java 2 security manager enablement, and the CSIv2/SAS authentication protocol (RMI/IIOP security; on z/OS the protocols are CSIv2 and z/SAS). You can disable security on individual application servers while global security is enabled; however, you cannot enable security on an individual application server while global security is disabled.
While application server security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled, but security for individual servers is disabled, J2EE applications are not authenticated or authorized. However, naming and administrative security is still enforced. Consequently, because naming services can be called from user applications, grant Everyone access to the naming functions that are required so that these functions accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.
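The two rules above (every server in a security domain must resolve a user to the same access ID, and a server-level security setting only takes effect when global security is enabled) are easy to get wrong when a cell spans several nodes. The following is an added example, not IBM's code and not the WebSphere configuration schema: it models a cell as plain Python data (the `Cell`/`Server` classes, the registry dictionaries and the sample access-ID strings are all constructed for illustration) and reports domain inconsistencies and ineffective server-level settings before a configuration is applied.

```python
"""Added example (not IBM's code): an offline model of the security-domain and
server-override rules described above, used to sanity-check a cell's security
configuration.

Assumptions (hypothetical data model, not the WebSphere configuration schema):
  - a registry is a dict mapping user name -> access ID that the registry returns;
  - each server carries the registry it resolves users against, plus an optional
    server-level "security enabled" flag (None means "inherit the global setting");
  - the cell carries the global security flag.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    node: str
    registry: Dict[str, str]                  # user name -> access ID from this server's registry
    security_enabled: Optional[bool] = None   # server-level override; None = follow global setting


@dataclass
class Cell:
    global_security_enabled: bool
    servers: List[Server] = field(default_factory=list)


def check_security_domain(cell: Cell, users: List[str]) -> List[str]:
    """Return findings that break the security-domain requirement.

    Every server in the domain must return the same access ID for a given user;
    otherwise authorization decisions differ from server to server.
    """
    findings = []
    for user in users:
        ids: Dict[str, List[str]] = {}
        for server in cell.servers:
            access_id = server.registry.get(user)
            if access_id is None:
                findings.append(f"{user}: not found in registry used by {server.name}")
                continue
            ids.setdefault(access_id, []).append(server.name)
        if len(ids) > 1:
            detail = "; ".join(f"{aid} from {', '.join(names)}"
                               for aid, names in sorted(ids.items()))
            findings.append(f"{user}: conflicting access IDs ({detail})")
    return findings


def effective_security(cell: Cell) -> Dict[str, Dict[str, bool]]:
    """Resolve each server's override against the global setting.

    Application (J2EE) authentication/authorization follows the server flag only
    while global security is on; administrative and naming security stay enforced
    on every server as long as global security is on.
    """
    result = {}
    for server in cell.servers:
        if not cell.global_security_enabled:
            app = admin = False   # server-level enablement cannot switch security on
        else:
            app = True if server.security_enabled is None else server.security_enabled
            admin = True
        result[server.name] = {"application_security": app,
                               "admin_and_naming_security": admin}
    return result


def ineffective_overrides(cell: Cell) -> List[str]:
    """Flag server-level 'enabled' settings that cannot take effect."""
    if cell.global_security_enabled:
        return []
    return [f"{s.name}: server-level security is enabled but global security is "
            f"disabled, so the setting has no effect"
            for s in cell.servers if s.security_enabled is True]


# Constructed sample: two nodes; server1 and server2 share an LDAP-backed registry,
# while server3 resolves users against a local registry that hands back a
# different access ID for alice and knows nothing about bob.
SHARED_LDAP = {"alice": "user:ldap.example/uid=alice,o=example",
               "bob": "user:ldap.example/uid=bob,o=example"}
LOCAL_OS = {"alice": "user:node2/alice"}

SAMPLE_CELL = Cell(
    global_security_enabled=True,
    servers=[
        Server("server1", "node1", SHARED_LDAP),
        Server("server2", "node1", SHARED_LDAP, security_enabled=False),
        Server("server3", "node2", LOCAL_OS),
    ],
)

if __name__ == "__main__":
    for line in check_security_domain(SAMPLE_CELL, ["alice", "bob"]):
        print("DOMAIN:", line)
    for name, state in effective_security(SAMPLE_CELL).items():
        print(name, state)
```

Running it on the sample cell reports that alice resolves to two different access IDs (so server3 is not really in the same security domain) and that bob is missing from server3's registry, while the effective-security map shows server2 with application security off but administrative and naming security still on.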